jwildeboer, (edited)
@jwildeboer@social.wildeboer.net

Again the FOSS world has proven to be vigilant and proactive in finding bugs and backdoors, IMHO. The level of transparency is stellar, especially compared to proprietary software companies. What the FOSS world has accomplished in 24 hours after detection of the backdoor code in deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything NOW. Which would introduce even more risks. Progress is made iteratively. Learn, adapt, repeat.

jwildeboer,
@jwildeboer@social.wildeboer.net

Just FTR. The backdoor code was inserted only under very specific circumstances in the build process. Once the problem was identified and after initial analysis made it clear how it worked, immediate action was taken in a coordinated fashion. Affected builds/packages were removed, update systems for affected distributions started delivering forced downgrades. Users of these systems were informed. This all happened in public, in transparent and open ways. All in the first 24 hours. I tip my hat.

jwildeboer,
@jwildeboer@social.wildeboer.net

Now the mess is being cleaned up. AFAICS this exploit was NOT used in the wild by bad actors. So it wasn't even a 0day. The damage is limited, contained and being taken care of. In a coordinated way, across communities, companies and more organisations. Because we were prepared for the aftermath. We have learned from Heartbleed and other events. Our FOSS immune system works. And will learn from this incident. Peace.

jwildeboer,
@jwildeboer@social.wildeboer.net

For the impact on , please follow the developing story at https://fedoramagazine.org/cve-2024-3094-security-alert-f40-rawhide/ - That's the transparency and openness I am talking about.

jwildeboer, (edited)
@jwildeboer@social.wildeboer.net

This backdoor is tracked as CVE-2024-3094 and this CVE was opened by . You can find our data on this at https://access.redhat.com/security/cve/CVE-2024-3094 If you search for "CVE-2024-3094" with the search engine of your choice you will find a growing list of references (and clickbait stories) of which https://nvd.nist.gov/vuln/detail/CVE-2024-3094 is a bit more relevant as it contains a long list of links to more news and background. The thread that started it all is at https://www.openwall.com/lists/oss-security/2024/03/29/4

The FAQ is at https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

jwildeboer,
@jwildeboer@social.wildeboer.net

I will let this thread rest for a while, as IMHO (In My Humble Opinion) everything we know ATM (At This Moment) is documented in the links I provided and besides making sure our machines have been updated (more precisely: downgraded the xz package) there is not much we can do. I will NOT participate in speculations and potentially harmful spreading of rumours. And now I will be taking care of other things on this beautiful day. Thank you all for taking your time to read and comment!

jwildeboer, (edited)
@jwildeboer@social.wildeboer.net

backdoor/exploit, CVE-2024-3094

Short update: the best source for up2date information on the history, analysis, fallout and moving forward is now https://gist.github.com/thesamesam/223949d5a074ebc3dce9ee78baad9e27

As expected, a lot of motivated but not well-informed or qualified people in the comments are adding fuel to a fire that is effectively under control and almost extinguished, so when you read that FAQ, please ignore most of the comments under it.

phoenix,
@phoenix@chaos.social

@jwildeboer even more, 1000 eyes are now focussing on the wound, looking for damages and other infections. 1000 eyes that would otherwise do other things are focussing on the one wound, so it can heal.

Once a problem has been identified, the self-healing capabilities are typically given. This is the resilience that is needed for survival. And it is there.

That's the open-source spirit, and it is awesome 🤘👍

jzb,
@jzb@mastodon.social

@jwildeboer yes… but. I’m now wondering if there are other instances we haven’t caught, or caught yet. Seems optimistic to assume that we’ve spotted a solitary instance of a very sophisticated approach to sneaking in back doors.

At a minimum, it might be time to revisit the practice of key signing parties and doing more to vet contributors.

mkoek,
@mkoek@mastodon.nl

@jzb @jwildeboer In the comments on this page on LWN, the person who discovered the issue himself says that the discovery was quite accidental -- so we do have to face the uncomfortable possibility that such things exist that haven't been caught.

https://lwn.net/Articles/967180/

jwildeboer,
@jwildeboer@social.wildeboer.net

@mkoek @jzb That’s always something we all have to be aware of. I am doing risk calculations for a living. You always need to assess the two most important vectors. #1 How can it be done? And more important #2 How high is the probability that it will be done? My problem with many discussions is that #2 is always put at 100% where in reality it is much, much lower.

mkoek,
@mkoek@mastodon.nl

@jwildeboer @jzb Definitely, but my point is: I'm not that confident that this is a demonstration of open source working to detect this stuff early. Yes in this case it's been caught early and not affecting many production systems yet. But, as the hero of this story himself says, it was a combination of coincidences that led him to find the injection; each one of these circumstances not occurring would have resulted in this being missed.

jwildeboer,
@jwildeboer@social.wildeboer.net

@jzb What I am trying to say is that there are two sides here. Solving and cleaning up after it happened is #1. That is what I am talking about. #2, what you mention, is how to harden the FOSS ecosystem proactively to reduce the risk of stuff "hiding in plain sight" in FOSS. That's a far wider field with many more unknowns.

We just shouldn't mix the two things because that leads to open-ended arguments and not to solutions, IMHO.

Natanox,
@Natanox@chaos.social

@jwildeboer Absolutely. From identifying the problem to having the fix on my computer, drawn from the official (Arch) repo, it took just about 3 hours. That's insanely fast.

hypolite,

@Natanox @jwildeboer Interestingly, the biggest obstacle to this process is GitHub unilaterally closing access to the relevant repository, preventing people from inspecting the offending code and breaking links that people had already published during their research.

lewiscowles1986,
@lewiscowles1986@phpc.social

@jwildeboer
If we look, we can see the currently known advice was not followed. Now we don't need to attribute blame, but I've only been upset by folks using this to bash OpenSource in general. Both XZ the project and the contributor who seems to have taken the most explicit route possible to document adding malware, and many upstream projects including that code, can GTFO

luc,
@luc@chaos.social

@jwildeboer
> deserves a moment of humbleness. Instead we have flamewars and armchair experts shouting that we must change everything

You're the second person posting a sentiment like this, that I've seen, but the actual flamewars seem to elude me. Getting kinda curious what y'all are on about
